commit 6ef19d5be91691cee2d86432def1a4ea81e53428
Author: salmonstill
Date: Fri Apr 24 00:42:59 2026 +0800
第一次初始化
diff --git a/VPS流量转发架构说明.md b/VPS流量转发架构说明.md
new file mode 100644
index 0000000..3bb731f
--- /dev/null
+++ b/VPS流量转发架构说明.md
@@ -0,0 +1,86 @@ +# VPS流量转发架构说明 +## 总览 +这套架构基于Xray+Nginx SNI分流实现,完全基于443端口HTTPS流量伪装,实现三个核心功能: +1. 反向代理内网服务到公网(无需公网IPv6/端口映射) +2. 异地多VPS链路中转代理(mihomo客户端接入) +3. 统一公网入口流量管理(所有流量走443端口,无额外端口暴露) + +--- +## 设备清单说明 +| 设备 | IP/域名 | 说明 | +|---|---|---| +| 北京VPS | `salmonstill.cn` | 公网入口节点,Nginx+Xray服务部署在这里 | +| 东京VPS | `tokyo.salmonstill.cn` | 代理出口节点,Xray服务部署在这里 | +| 旁路由 | `192.168.1.199` | 内网反向代理节点,Xray桥接服务部署在这里 | +| NAS | `192.168.1.188` | 内网存储服务,部署了思源笔记、绿联云管理界面 | +| Windows台式机 | `192.168.1.177` | 内网办公设备,提供WSL SSH服务 | + +--- +## 核心组件说明 +### 1. 北京VPS(公网入口节点) +#### Nginx Stream SNI分流层 +配置文件:`beijing-vps-stream.conf` +根据SSL握手阶段的ServerName字段,将不同域名的流量转发到不同后端服务: +| 域名 | 后端服务 | 作用 | +|---|---|---| +| `www.apple.com` | Xray 9443端口 | 旁路由反向代理隧道 | +| `www.microsoft.com` | Xray 9444端口 | Mihomo客户端代理入口 | +| `drive.salmonstill.cn` | 38653端口 | 绿联云NAS服务直接转发 | +| 其他域名 | Nginx Proxy Manager 8443端口 | 常规Web服务管理 | + +#### Xray服务层 +配置文件:`beijing-vps-config.json` +包含两个核心入站和一个出站: +- **interconn入站(9443端口)**:VLESS+Reality协议,接收旁路由的反向代理桥接连接 +- **mihomo_in入站(9444端口)**:VLESS+Reality协议,接收外部Mihomo客户端的代理连接 +- **to_tokyo出站**:VLESS+Reality协议,将代理流量转发到东京VPS出口 + +--- +### 2. 旁路由(内网反向代理节点) +配置文件:`旁路由-config.json` +基于Xray反向代理桥接模式实现内网服务穿透: +- **bridge桥接组件**:和北京VPS的portal组件建立永久隧道,将公网过来的反向代理流量转发到内网 +- 路由规则根据端口自动转发到对应内网服务: + | 端口 | 内网目标 | 服务 | + |---|---|---| + | 38653 | 192.168.1.188:9443 | NAS管理界面 | + | 38654 | 192.168.1.188:5005 | 思源笔记 | + | 38655 | 192.168.1.177:22 | WSL SSH服务 | + | 39132 | 127.0.0.1:39132 | Minecraft游戏服务 | + +--- +### 3. 东京VPS(代理出口节点) +配置文件:`tokyo-vps-config.json` +极简配置的Xray出口节点: +- 入站:VLESS+Reality协议,接收北京VPS转发的代理请求 +- 出站:直接freedom出口访问国际网络 + +--- +## 流量路径说明 +### 1. 内网服务反向代理访问路径(比如访问drive.salmonstill.cn) +``` +用户 → 北京VPS 443端口 → Nginx匹配SNI `drive.salmonstill.cn` → 转发到38653端口 dokodemo-door入站 +→ Xray路由转发到portal反向代理组件 → 走已经建立的隧道到旁路由bridge组件 +→ 旁路由路由匹配端口38653 → 转发到内网NAS 192.168.1.188:9443 → 响应原路返回 +``` + +### 2. 
Mihomo代理访问路径
+```
+Mihomo客户端 → 北京VPS 443端口 → Nginx匹配SNI `www.microsoft.com` → 转发到9444端口 mihomo_in入站
+→ Xray路由转发到to_tokyo出站 → 加密传输到东京VPS 443端口 → 东京Xray入站接收请求
+→ 直接访问国际网络 → 响应原路返回
+```
+
+---
+## 架构优势
+1. **极致伪装**:所有流量都走443端口HTTPS,不同流量通过SNI区分,完全和正常网站访问一致,无特征被封
+2. **零额外端口暴露**:除了443端口没有任何公网开放端口,安全性拉满
+3. **高可用性**:反向代理隧道永久在线,内网服务无需公网IP/端口映射即可访问
+4. **性能损耗低**:Xray Reality协议性能优异,中转延迟增加<10ms
+5. **易扩展**:新增内网服务只需要在旁路由添加对应的路由规则即可,无需修改公网配置
+
+---
+## 配置要点
+1. Reality公私钥配对:客户端的publicKey必须和对应服务端的privateKey严格匹配
+2. SNI一致性:客户端请求的ServerName必须和Nginx分流规则以及Xray Reality配置的serverNames完全一致
+3. 端口映射:Nginx分流的后端端口必须和Xray入站监听端口严格对应
diff --git a/beijing-vps-stream.conf b/beijing-vps-stream.conf
new file mode 100644
index 0000000..a53fbf6
--- /dev/null
+++ b/beijing-vps-stream.conf
@@ -0,0 +1,27 @@
+stream {
+ map $ssl_preread_server_name $backend {
+ www.apple.com xray; # 旁路由反向代理隧道
+ www.microsoft.com mihomo; # 新增:mihomo出站流量
+ drive.salmonstill.cn nas; # 绿联云服务
+ default npm; # Nginx Proxy Manager
+ }
+ upstream xray {
+ server 127.0.0.1:9443;
+ }
+ # 新增mihomo upstream
+ upstream mihomo {
+ server 127.0.0.1:9444;
+ }
+ upstream nas {
+ server 127.0.0.1:38653;
+ }
+ upstream npm {
+ server 127.0.0.1:8443;
+ }
+ server {
+ listen 443 reuseport;
+ listen [::]:443 reuseport;
+ ssl_preread on;
+ proxy_pass $backend;
+ }
+}
\ No newline at end of file
diff --git a/subscribe-7891-only.yaml b/subscribe-7891-only.yaml
new file mode 100644
index 0000000..9f5a7f4
--- /dev/null
+++ b/subscribe-7891-only.yaml
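Review bot: Every connection nginx hands to the `xray`, `mihomo` and `nas` upstreams arrives from 127.0.0.1, so Xray's access log and Reality handshake rejections, and whatever sits behind 38653, cannot attribute a connection to the real client address. If source attribution is wanted for monitoring, add `proxy_protocol on;` to the `server` block and enable `acceptProxyProtocol` in the `rawSettings` of the receiving Xray inbounds; because the directive applies to every `$backend`, the `npm` upstream on 8443 would then also have to accept PROXY protocol or be served from its own `server` block. The comment on the `www.microsoft.com` map entry calls it an outbound while the upstream feeds the `mihomo_in` inbound on 9444; reword it to `# mihomo client inbound (9444)`.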
@@ -0,0 +1,49 @@
+mixed-port: 7890
+allow-lan: true
+bind-address: '*'
+mode: rule
+log-level: info
+external-controller: '127.0.0.1:9090'
+
+find-process-mode: off
+
+dns:
+ enable: true
+ ipv6: false
+ enhanced-mode: fake-ip
+ fake-ip-range: 198.18.0.1/16
+ default-nameserver:
+ - tls://223.5.5.5
+ - tls://223.6.6.6
+ nameserver:
+ - https://dns.alidns.com/dns-query
+ - https://doh.pub/dns-query
+ respect-rules: false
+
+proxies:
+ - name: Xray-Real
+ type: vless
+ server: salmonstill.cn
+ port: 443
+ uuid: "113e167a-a2be-4b46-9010-60020108626c"
+ udp: true
+ flow: xtls-rprx-vision
+ packet-encoding: xudp
+ tls: true
+ servername: www.microsoft.com
+ client-fingerprint: chrome
+ reality-opts:
+ public-key: "62y5gDjPrdeuePGl-D2IW4Cw9Kb8_bSBBTmArvL7Nhs"
+ short-id: "7c947a71b94f369e"
+ network: tcp
+
+listeners:
+ - name: global-mixed
+ type: mixed
+ port: 7891
+ listen: 0.0.0.0
+ udp: true
+ proxy: Xray-Real
+
+rules:
+ - MATCH,DIRECT
\ No newline at end of file
diff --git a/subscribe.yaml b/subscribe.yaml
new file mode 100644
index 0000000..f13bb9a
--- /dev/null
+++ b/subscribe.yaml
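Review bot: `allow-lan: true` with `bind-address: '*'` and the `global-mixed` listener on `listen: 0.0.0.0` expose two unauthenticated proxy ports (7890 and 7891) to every host on the local network, and 7891 sends everything through `Xray-Real`, so any neighbouring device can use the VPS exit under this machine's UUID. Either bind to `127.0.0.1` (as the listeners in `subscribe.yaml` already do, although its `mixed-port` has the same `allow-lan`/`bind-address` exposure) or add an `authentication:` list of `user:password` entries so LAN use requires credentials. The `uuid` and `short-id` under `proxies` are the live credentials the Beijing inbound accepts; rotate them if this repository is shared, since a subscription file travels far more widely than a server config.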
@@ -0,0 +1,307 @@ +# ======================== +# Clash-ALL 思路(单上游 Xray Reality 精简版) + 额外端口:7891 全局代理 + 7892 强制直连 +# ======================== + +mixed-port: 7890 +allow-lan: true +bind-address: '*' +mode: rule +log-level: info +external-controller: '127.0.0.1:9090' + +find-process-mode: off + +dns: + enable: true + ipv6: false + prefer-h3: false + use-hosts: false + use-system-hosts: true + enhanced-mode: fake-ip + fake-ip-range: 198.18.0.1/16 + fake-ip-filter: + - geosite:private + - geosite:tracker + - geosite:cn + - geosite:apple@cn + - geosite:microsoft@cn + - geosite:microsoft + - '+.lan' + - '+.local' + default-nameserver: + - tls://223.5.5.5 + - tls://223.6.6.6 + nameserver: + - https://9.9.9.9/dns-query + - https://149.112.112.112/dns-query + - https://94.140.14.14/dns-query + - https://94.140.15.15/dns-query + proxy-server-nameserver: + - https://dns.alidns.com/dns-query + - https://doh.pub/dns-query + direct-nameserver: + - https://dns.alidns.com/dns-query + - https://doh.pub/dns-query + respect-rules: true + +# ======================== +# 代理定义 +# ======================== +proxies: + - name: 直连 + type: direct + - name: 拒绝 + type: reject + + - name: Xray-Real + type: vless + server: salmonstill.cn + port: 443 + uuid: "113e167a-a2be-4b46-9010-60020108626c" + udp: true + flow: xtls-rprx-vision + packet-encoding: xudp + tls: true + servername: www.microsoft.com + client-fingerprint: chrome + reality-opts: + public-key: "62y5gDjPrdeuePGl-D2IW4Cw9Kb8_bSBBTmArvL7Nhs" + short-id: "7c947a71b94f369e" + network: tcp + +# ======================== +# 策略组 +# ======================== +proxy-groups: + - name: 国内 + type: select + proxies: [直连] + + - name: 国外 + type: select + proxies: [Xray-Real, 直连] + + - name: Steam-rule + type: select + proxies: [国内, 国外, 直连] + + - name: Microsoft-rule + type: select + proxies: [国内, 国外, 直连] + + - name: AI + type: select + proxies: [国外, 国内, 直连] + + - name: Stream Media + type: select + proxies: [国外, 国内, 直连] + + - name: GitHub + type: 
select + proxies: [国外, 国内, 直连] + + - name: Crypto + type: select + proxies: [国外, 国内, 直连] + + - name: Block + type: select + proxies: [拒绝, 直连] + + - name: 其他 + type: select + proxies: [国内, 国外, 直连, 拒绝] + +# ======================== +# rule-providers +# ======================== +rule-providers: + Ads: + type: http + behavior: domain + format: mrs + interval: 86400 + url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/category-ads-all.mrs + path: ./rule-providers/ads.mrs + proxy: 国外 + + Private_Domain: + type: http + behavior: domain + format: mrs + interval: 86400 + url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/private.mrs + path: ./rule-providers/private_domain.mrs + proxy: 国外 + + Private_IP: + type: http + behavior: ipcidr + format: mrs + interval: 86400 + url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geoip/private.mrs + path: ./rule-providers/private_ip.mrs + proxy: 国外 + + China_Domain: + type: http + behavior: domain + format: mrs + interval: 86400 + url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/cn.mrs + path: ./rule-providers/cn_domain.mrs + proxy: 国外 + + China_IP: + type: http + behavior: ipcidr + format: mrs + interval: 86400 + url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geoip/cn.mrs + path: ./rule-providers/cn_ip.mrs + proxy: 国外 + + Oracle: + type: http + behavior: domain + format: mrs + interval: 86400 + url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/oracle.mrs + path: ./rule-providers/oracle.mrs + proxy: 国外 + + OpenAI: + type: http + behavior: domain + format: mrs + interval: 86400 + url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/openai.mrs + path: ./rule-providers/openai.mrs + proxy: 国外 + + GitHub_Domain: + type: http + behavior: domain + format: mrs + interval: 86400 + url: 
https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/github.mrs + path: ./rule-providers/github.mrs + proxy: 国外 + + Netflix_Domain: + type: http + behavior: domain + format: mrs + interval: 86400 + url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/netflix.mrs + path: ./rule-providers/netflix_domain.mrs + proxy: 国外 + + Netflix_IP: + type: http + behavior: ipcidr + format: mrs + interval: 86400 + url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geoip/netflix.mrs + path: ./rule-providers/netflix_ip.mrs + proxy: 国外 + + Steam_CN: + type: http + behavior: domain + format: mrs + interval: 86400 + url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/steam@cn.mrs + path: ./rule-providers/steam_cn.mrs + proxy: 国外 + + Steam: + type: http + behavior: domain + format: mrs + interval: 86400 + url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/steam.mrs + path: ./rule-providers/steam.mrs + proxy: 国外 + + GFW: + type: http + behavior: domain + format: mrs + interval: 86400 + url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/gfw.mrs + path: ./rule-providers/gfw.mrs + proxy: 国外 + + Geo_NoCN: + type: http + behavior: domain + format: mrs + interval: 86400 + url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/geolocation-!cn.mrs + path: ./rule-providers/geo_nocn.mrs + proxy: 国外 + + Microsoft: + type: http + behavior: domain + format: mrs + interval: 86400 + url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/microsoft.mrs + path: ./rule-providers/microsoft.mrs + proxy: 国外 + + Crypto: + type: http + behavior: domain + format: mrs + interval: 86400 + url: https://raw.githubusercontent.com/MetaCubeX/meta-rules-dat/meta/geo/geosite/category-cryptocurrency.mrs + path: ./rule-providers/crypto.mrs + proxy: 国外 + +# ======================== +# 多监听器部分 +# 
========================
+listeners:
+ - name: global-mixed
+ type: mixed
+ port: 7891
+ listen: 127.0.0.1
+ udp: true
+ proxy: Xray-Real
+
+ - name: direct-mixed
+ type: mixed
+ port: 7892
+ listen: 127.0.0.1
+ udp: true
+ proxy: 直连
+
+# ========================
+# rules
+# ========================
+rules:
+ - DOMAIN,vs18.bj2cu.u3.ucweb.com,拒绝
+ - DOMAIN-SUFFIX,salmonstill.cn,直连
+ - DOMAIN-KEYWORD,raylink,直连
+ - IP-CIDR,49.232.242.90/32,直连
+ - IP-CIDR,43.165.178.10/32,直连
+ - RULE-SET,Ads,Block
+ - RULE-SET,Private_Domain,国内
+ - RULE-SET,Private_IP,国内,no-resolve
+ - RULE-SET,China_Domain,国内
+ - RULE-SET,Oracle,国内
+ - RULE-SET,China_IP,国内,no-resolve
+ - RULE-SET,OpenAI,AI
+ - RULE-SET,GitHub_Domain,GitHub
+ - RULE-SET,Netflix_Domain,Stream Media
+ - RULE-SET,Netflix_IP,Stream Media,no-resolve
+ - RULE-SET,Steam_CN,国内
+ - RULE-SET,Steam,Steam-rule
+ - RULE-SET,Microsoft,Microsoft-rule
+ - RULE-SET,Crypto,Crypto
+ - RULE-SET,GFW,国外
+ - RULE-SET,Geo_NoCN,国外
+ - MATCH,其他
\ No newline at end of file
diff --git a/tokyo-vps-config.json b/tokyo-vps-config.json
new file mode 100644
index 0000000..f50017b
--- /dev/null
+++ b/tokyo-vps-config.json
@@ -0,0 +1,44 @@
+{
+ "log": {
+ "loglevel": "warning"
+ },
+ "inbounds": [
+ {
+ "listen": "127.0.0.1",
+ "port": 9443,
+ "protocol": "vless",
+ "settings": {
+ "clients": [
+ {
+ "id": "4d222c16-53bb-4402-814e-c8188cebcea6",
+ "level": 0,
+ "flow": "xtls-rprx-vision"
+ }
+ ],
+ "decryption": "none"
+ },
+ "streamSettings": {
+ "network": "raw",
+ "security": "reality",
+ "realitySettings": {
+ "show": false,
+ "dest": "www.microsoft.com:443",
+ "xver": 0,
+ "serverNames": [
+ "www.microsoft.com"
+ ],
+ "privateKey": "iBlu3eH1VLf1S5Qw87m_1w0TGYUktDwHAzgpQ2aKuGI",
+ "shortIds": [
+ "a1b2c3d4"
+ ]
+ }
+ }
+ }
+ ],
+ "outbounds": [
+ {
+ "protocol": "freedom",
+ "tag": "direct"
+ }
+ ]
+}
diff --git a/xray-北京vps-config.json b/xray-北京vps-config.json
new file mode 100644
index 0000000..42e422c
--- /dev/null
+++ b/xray-北京vps-config.json
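Review bot: The Reality `privateKey` of this inbound is committed in clear text, and the same applies to `privateKey` on both vless inbounds in `xray-北京vps-config.json`; anyone with read access to the repository can stand up a server the clients will accept, so regenerate the key pairs (`xray x25519`) and keep them in a file outside version control. The `shortIds` value `a1b2c3d4` is only four bytes and looks hand-typed, unlike the 16-hex-digit id used by the Beijing inbounds; a randomly generated 8-byte value is preferable. Style: this file uses `dest` where the Beijing config uses `target` for the same Reality field—both are accepted, but use one spelling across the repository.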
@@ -0,0 +1,290 @@ +{ + "log": { + "loglevel": "warning" + }, + "reverse": { + "portals": [ + { + "tag": "portal", + "domain": "reverse-proxy.xray.internal" + } + ] + }, + "inbounds": [ + { + "tag": "external", + "listen": "0.0.0.0", + "port": 38653, + "protocol": "dokodemo-door", + "settings": { + "address": "127.0.0.1", + "port": 38653, + "network": "tcp" + } + }, + { + "tag": "external_siyuan", + "listen": "0.0.0.0", + "port": 38654, + "protocol": "dokodemo-door", + "settings": { + "address": "127.0.0.1", + "port": 38654, + "network": "tcp" + } + }, + { + "tag": "external_minecraft", + "listen": "0.0.0.0", + "port": 39132, + "protocol": "dokodemo-door", + "settings": { + "address": "127.0.0.1", + "port": 39132, + "network": "tcp" + } + }, + { + "tag": "external_wsl", + "listen": "0.0.0.0", + "port": 38655, + "protocol": "dokodemo-door", + "settings": { + "address": "127.0.0.1", + "port": 38655, + "network": "tcp" + } + }, + { + "tag": "external_nas_ssh", + "listen": "0.0.0.0", + "port": 38656, + "protocol": "dokodemo-door", + "settings": { + "address": "127.0.0.1", + "port": 38656, + "network": "tcp" + } + }, + { + "tag": "external_router_ssh", + "listen": "0.0.0.0", + "port": 38657, + "protocol": "dokodemo-door", + "settings": { + "address": "127.0.0.1", + "port": 38657, + "network": "tcp" + } + }, + { + "tag": "proxy_in", + "listen": "127.0.0.1", + "port": 10809, + "protocol": "mixed", + "settings": { + "udp": true + } + }, + { + "tag": "external_router_web", + "listen": "0.0.0.0", + "port": 39766, + "protocol": "dokodemo-door", + "settings": { + "address": "127.0.0.1", + "port": 39766, + "network": "tcp" + } + }, + { + "tag": "external_tmp", + "listen": "0.0.0.0", + "port": 8501, + "protocol": "dokodemo-door", + "settings": { + "address": "127.0.0.1", + "port": 8501, + "network": "tcp" + } + }, + { + "tag": "interconn", + "listen": "127.0.0.1", + "port": 9443, + "protocol": "vless", + "settings": { + "clients": [ + { + "id": 
"113e167a-a2be-4b46-9010-60020108626c", + "flow": "xtls-rprx-vision" + } + ], + "decryption": "none" + }, + "streamSettings": { + "network": "raw", + "security": "reality", + "realitySettings": { + "show": false, + "target": "www.apple.com:443", + "serverNames": [ + "www.apple.com" + ], + "privateKey": "GGT9LfN_2JdQG68cwrULgUK-adfT6wIokLzWjaB0fXs", + "shortIds": [ + "7c947a71b94f369e" + ] + } + } + }, + { + "tag": "mihomo_in", + "listen": "127.0.0.1", + "port": 9444, + "protocol": "vless", + "settings": { + "clients": [ + { + "id": "113e167a-a2be-4b46-9010-60020108626c", + "flow": "xtls-rprx-vision" + } + ], + "decryption": "none" + }, + "streamSettings": { + "network": "raw", + "security": "reality", + "realitySettings": { + "show": false, + "target": "www.microsoft.com:443", + "serverNames": [ + "www.microsoft.com" + ], + "privateKey": "GGT9LfN_2JdQG68cwrULgUK-adfT6wIokLzWjaB0fXs", + "shortIds": [ + "7c947a71b94f369e" + ] + } + } + } + ], + "outbounds": [ + { + "tag": "direct", + "protocol": "freedom" + }, + { + "tag": "to_tokyo", + "protocol": "vless", + "settings": { + "vnext": [ + { + "address": "tokyo.salmonstill.cn", + "port": 443, + "users": [ + { + "id": "4d222c16-53bb-4402-814e-c8188cebcea6", + "encryption": "none", + "flow": "xtls-rprx-vision" + } + ] + } + ] + }, + "streamSettings": { + "network": "raw", + "security": "reality", + "realitySettings": { + "show": false, + "fingerprint": "chrome", + "serverName": "www.microsoft.com", + "password": "jr_zQjC4mvlQITuG5Ap5Mxqe5EBbGyyvwbVLDEi8OCA", + "shortId": "a1b2c3d4", + "spiderX": "/" + } + } + } + ], + "routing": { + "rules": [ + { + "type": "field", + "inboundTag": [ + "external" + ], + "outboundTag": "portal" + }, + { + "type": "field", + "inboundTag": [ + "external_siyuan" + ], + "outboundTag": "portal" + }, + { + "type": "field", + "inboundTag": [ + "external_minecraft" + ], + "outboundTag": "portal" + }, + { + "type": "field", + "inboundTag": [ + "external_wsl" + ], + "outboundTag": "portal" + }, + { 
+ "type": "field", + "inboundTag": [ + "external_nas_ssh" + ], + "outboundTag": "portal" + }, + { + "type": "field", + "inboundTag": [ + "external_router_ssh" + ], + "outboundTag": "portal" + }, + { + "type": "field", + "inboundTag": [ + "external_tmp" + ], + "outboundTag": "portal" + }, + { + "type": "field", + "inboundTag": [ + "external_router_web" + ], + "outboundTag": "portal" + }, + { + "type": "field", + "inboundTag": [ + "proxy_in" + ], + "outboundTag": "to_tokyo" + }, + { + "type": "field", + "inboundTag": [ + "interconn" + ], + "outboundTag": "portal" + }, + { + "type": "field", + "inboundTag": [ + "mihomo_in" + ], + "outboundTag": "to_tokyo" + } + ] + } +} \ No newline at end of file diff --git a/xray-旁路由-config.json b/xray-旁路由-config.json new file mode 100644 index 0000000..9d4e2e2 --- /dev/null +++ b/xray-旁路由-config.json 
@@ -0,0 +1,183 @@ +{ + "log": { + "loglevel": "info" + }, + "reverse": { + "bridges": [ + { + "tag": "bridge", + "domain": "reverse-proxy.xray.internal" + } + ] + }, + "outbounds": [ + { + "tag": "to_nas", + "protocol": "freedom", + "settings": { + "redirect": "192.168.1.188:9443" + } + }, + { + "tag": "to_siyuan", + "protocol": "freedom", + "settings": { + "redirect": "192.168.1.188:5005" + } + }, + { + "tag": "to_wsl", + "protocol": "freedom", + "settings": { + "redirect": "192.168.1.177:22" + } + }, + { + "tag": "to_nas_ssh", + "protocol": "freedom", + "settings": { + "redirect": "192.168.1.188:22" + } + }, + { + "tag": "to_router_ssh", + "protocol": "freedom", + "settings": { + "redirect": "192.168.1.199:22" + } + }, + { + "tag": "to_router_web", + "protocol": "freedom", + "settings": { + "redirect": "192.168.1.199:80" + } + }, + { + "tag": "to_minecraft", + "protocol": "freedom", + "settings": { + "redirect": "127.0.0.1:39132" + } + }, + { + "tag": "to_tmp", + "protocol": "freedom", + "settings": { + "redirect": "192.168.1.177:8501" + } + }, + { + "tag": "interconn", + "protocol": "vless", + "settings": { + "vnext": [ + { + "address": "salmonstill.cn", + "port": 443, + "users": [ + { + "id": "113e167a-a2be-4b46-9010-60020108626c", + "encryption": "none", + "flow": "xtls-rprx-vision" + } + ] + } + ] + }, + "streamSettings": { + "network": "raw", + "security": "reality", + "realitySettings": { + "show": false, + "fingerprint": "chrome", + "serverName": "www.apple.com", + "password": "62y5gDjPrdeuePGl-D2IW4Cw9Kb8_bSBBTmArvL7Nhs", + "shortId": "7c947a71b94f369e", + "spiderX": "/search?q=xray" + } + } + }, + { + "tag": "direct", + "protocol": "freedom" + } + ], + "routing": { + "rules": [ + { + "type": "field", + "inboundTag": [ + "bridge" + ], + "domain": [ + "full:reverse-proxy.xray.internal" + ], + "outboundTag": "interconn" + }, + { + "type": "field", + "inboundTag": [ + "bridge" + ], + "port": "38654", + "outboundTag": "to_siyuan" + }, + { + "type": "field", + 
"inboundTag": [ + "bridge" + ], + "port": "38655", + "outboundTag": "to_wsl" + }, + { + "type": "field", + "inboundTag": [ + "bridge" + ], + "port": "38656", + "outboundTag": "to_nas_ssh" + }, + { + "type": "field", + "inboundTag": [ + "bridge" + ], + "port": "38657", + "outboundTag": "to_router_ssh" + }, + { + "type": "field", + "inboundTag": [ + "bridge" + ], + "port": "8501", + "outboundTag": "to_tmp" + }, + { + "type": "field", + "inboundTag": [ + "bridge" + ], + "port": "39766", + "outboundTag": "to_router_web" + }, + { + "type": "field", + "inboundTag": [ + "bridge" + ], + "port": "39132", + "outboundTag": "to_minecraft" + }, + { + "type": "field", + "inboundTag": [ + "bridge" + ], + "outboundTag": "to_nas" + } + ] + } +} \ No newline at end of file diff --git a/东京-vps-stream.conf b/东京-vps-stream.conf new file mode 100644 index 0000000..6cdccc7 --- /dev/null +++ b/东京-vps-stream.conf @@ -0,0 +1,18 @@ +stream { + map $ssl_preread_server_name $backend { + www.microsoft.com xray; + default npm; + } + upstream xray { + server 127.0.0.1:9443; + } + upstream npm { + server 127.0.0.1:8443; + } + server { + listen 443 reuseport; + listen [::]:443 reuseport; + ssl_preread on; + proxy_pass $backend; + } +} diff --git a/我的世界udp转发.md b/我的世界udp转发.md new file mode 100644 index 0000000..9efd361 --- /dev/null +++ b/我的世界udp转发.md 
@@ -0,0 +1,245 @@ +# Minecraft 基岩版 UDP 转发配置文档 + +## 架构 + +``` +公网玩家 (UDP 19132) + ↓ +北京VPS (salmonstill.cn) +socat 监听 19132 → 转发到 10.0.0.2:19132 + ↓ WireGuard 隧道 +旁路由 ImmortalWrt (192.168.1.199 / 10.0.0.2) +nftables 端口转发 + SNAT + ↓ +NAS (192.168.1.188:19132) + ↓ +Minecraft 基岩版 Docker 容器 +``` + +--- + +## 设备信息 + +| 设备 | IP | 系统 | +|---|---|---| +| 北京VPS | `salmonstill.cn` / `49.232.242.90` | Ubuntu 22.04 | +| 旁路由 | `192.168.1.199` / WG隧道: `10.0.0.2` | ImmortalWrt 24.10 (GL-MT2500) | +| NAS | `192.168.1.188` | 绿联云 UGOS | + +--- + +## 第一部分:北京VPS 配置 + +### WireGuard 配置 `/etc/wireguard/wg0.conf` + +```ini +[Interface] +Address = 10.0.0.1/24 +ListenPort = 51820 +PrivateKey = <北京VPS私钥> +MTU = 1420 + +# 回包源地址转换(必须,否则公网玩家收不到回包) +PostUp = iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE +PostDown = iptables -t nat -D POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE + +[Peer] +# 旁路由 +PublicKey = 9jPlaUhx2Dc+C5ZqJx6Iu8GtNMig3cFIoqfHg8PZbCA= +AllowedIPs = 10.0.0.2/32 +PersistentKeepalive = 25 +``` + +> ⚠️ 不使用 iptables DNAT 转发,改用 socat 处理 UDP 转发,避免 conntrack 连接跟踪问题导致回包丢失。 + +### 开启内核转发 + +```bash +echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf +sysctl -p +``` + +### 开放防火墙端口 + +```bash +ufw allow 51820/udp # WireGuard +ufw allow 19132/udp # Minecraft 基岩版 +``` + +### 启动 WireGuard + +```bash +systemctl enable wg-quick@wg0 +systemctl start wg-quick@wg0 +``` + +### socat UDP 转发 + +socat 监听公网 19132 端口,收到包后转发给旁路由隧道 IP,并维护连接状态确保回包正确返回。 + +创建 systemd service: + +```bash +nano /etc/systemd/system/mc-forward.service +``` + +```ini +[Unit] +Description=Minecraft UDP Forward +After=network.target + +[Service] +ExecStart=/usr/bin/socat UDP4-LISTEN:19132,fork,reuseaddr UDP4:10.0.0.2:19132 +Restart=always + +[Install] +WantedBy=multi-user.target +``` + +启动并设置开机自启: + +```bash +systemctl daemon-reload +systemctl enable mc-forward +systemctl start mc-forward +``` + +--- + +## 第二部分:旁路由 ImmortalWrt 配置 + +### WireGuard 接口配置 + +路径:**网络 → 接口 → 添加新接口** + +**常规设置:** + +| 字段 | 值 | 
+|---|---| +| 接口名称 | `WireGuard` | +| 协议 | `WireGuard VPN` | +| 私钥 | `<旁路由私钥>` | +| IP 地址 | `10.0.0.2/24` | +| 监听端口 | 不填 | + +**防火墙设置:** 加入 `wan` 区域 + +**Peers → 添加对端:** + +| 字段 | 值 | +|---|---| +| 公钥 | `n159R7bNB+tW3Br0cok2zA27Pzg2WSPTI9uQ9odOFyU=` | +| 端点主机 | `salmonstill.cn` | +| 端点端口 | `51820` | +| 允许的 IP | `0.0.0.0/0` | +| 路由允许的 IP | ✅ 勾选 | +| 持续 Keep-Alive | `25` | + +> ⚠️ 允许的 IP 必须设为 `0.0.0.0/0`,否则 WireGuard 会丢弃来自公网玩家 IP 的包。 + +### 端口转发配置 + +路径:**网络 → 防火墙 → 端口转发 → 添加** + +| 字段 | 值 | +|---|---| +| 名称 | `Minecraft-udp` | +| 协议 | `UDP` | +| 源区域 | `wan` | +| 外部端口 | `19132` | +| 目标区域 | `lan` | +| 内部 IP 地址 | `192.168.1.188` | +| 内部端口 | `19132` | + +### SNAT 配置 + +路径:**网络 → 防火墙 → NAT 规则 → 添加** + +| 字段 | 值 | +|---|---| +| 名称 | `minecraft-snat` | +| 地址族限制 | `仅 IPv4` | +| 协议 | `UDP` | +| 出站区域 | `lan` | +| 目标地址 | `192.168.1.188` | +| 目标端口 | `19132` | +| 操作 | `SNAT - 重写为特定的源 IP 或端口` | +| 重写 IP 地址 | `192.168.1.199` | + +> SNAT 的作用:将转发给 NAS 的包源 IP 改为旁路由 IP,确保 NAS 的回包发回给旁路由而不是直接走主路由,避免回包路径不对称。 + +--- + +## 第三部分:NAS Docker 配置 + +使用 `network_mode: host` 避免 Docker NAT 导致的 IP 映射问题。 + +```yaml +services: + bedrock: + image: itzg/minecraft-bedrock-server:2026.2.1 + container_name: mc-bedrock + network_mode: host + stdin_open: true + tty: true + environment: + EULA: "TRUE" + VERSION: "1.26.14.1" + TZ: "Asia/Shanghai" + OPS: "2535472561115036" + volumes: + - /volume2/ProgramsV2/minecraft:/data + restart: unless-stopped +``` + +--- + +## 第四部分:验证 + +### 检查 WireGuard 隧道 + +```bash +# 旁路由 +wg show +# 正常应有 latest handshake 和双向 transfer +``` + +### 检查 socat 运行状态 + +```bash +systemctl status mc-forward +``` + +### 抓包验证完整链路 + +```bash +# VPS 上抓 wg0,确认双向流量 +tcpdump -i wg0 udp port 19132 -n + +# 旁路由抓 br-lan,确认转发到 NAS +tcpdump -i br-lan udp port 19132 -n + +# NAS 上抓包,确认收到并回包 +sudo tcpdump -i bridge0 udp port 19132 -n +``` + +--- + +## 故障排查 + +| 现象 | 排查方法 | +|---|---| +| WireGuard 无握手 | 检查 VPS 防火墙 51820/udp 是否开放 | +| socat 收不到包 | 检查 ufw 19132/udp 是否开放 | +| 旁路由收不到包 | 检查 WireGuard AllowedIPs 
是否为 `0.0.0.0/0` | +| NAS 收不到包 | 检查端口转发内部端口是否填写正确 | +| NAS 有回包但玩家连不上 | 检查 SNAT 规则是否生效,确认 NAS 用 host 网络模式 | +| 游戏内延迟不显示 | 检查 socat 是否正常运行,DNAT 规则是否已删除 | + +--- + +## 扩展:新增其他 UDP 服务 + +1. VPS 新建一个 socat service,修改端口号 +2. 旁路由 LuCI 端口转发新增一条规则 +3. `ufw allow <新端口>/udp` diff --git a/旁路由备份/backup-ImmortalWrt-2026-04-17.tar.gz b/旁路由备份/backup-ImmortalWrt-2026-04-17.tar.gz new file mode 100644 index 0000000..00323c4 Binary files /dev/null and b/旁路由备份/backup-ImmortalWrt-2026-04-17.tar.gz differ diff --git a/旁路由备份/backup-ImmortalWrt-2026-04-18.tar.gz b/旁路由备份/backup-ImmortalWrt-2026-04-18.tar.gz new file mode 100644 index 0000000..444f019 Binary files /dev/null and b/旁路由备份/backup-ImmortalWrt-2026-04-18.tar.gz differ
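Review bot: Two ImmortalWrt backup archives (`旁路由备份/backup-ImmortalWrt-2026-04-17.tar.gz` and `旁路由备份/backup-ImmortalWrt-2026-04-18.tar.gz`) are committed as binaries; a LuCI backup normally bundles `/etc/config` and the system password files, so presumably these hold the router's WireGuard private key and credential hashes — verify by listing the archives. Keep them out of the repository (add `旁路由备份/` to `.gitignore` and purge the two objects from history), and if the archives were ever pushed to a shared remote, rotate the router-side WireGuard key pair whose public half is documented in `我的世界udp转发.md`.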